TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Could Canada lose its adequacy standing? Related reading: Mass. weighs in on Equifax: Who else might?

rss_feed
PrivacyTraining_ad300x250.Promo1-01
PSR17_WebBanner_300x250-COPY
iapp-privacycore

The world has changed a lot since the European Commission gave Canada its "adequacy" standing in 2001, determining the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA, properly protects personal data transferred from the EU to Canada. Technology has evolved and so with it has the ability to collect massive amounts of data. Add to that the growing prevalence of surveillance, and countries generally have found their data privacy laws need to evolve, as well.

But Canada is one country that hasn't evolved its privacy quite in line with its allies near and far, and because it has been quite some time since Canada's adequacy status has been reviewed, some wonder whether the country could lose its standing once the General Data Protection Regulation comes into force next May.

Adequacy is reached when the European Commission deems a country's laws protective enough to allow data to travel from inside the EU to the country in question. A country can receive its standing several ways, including a proposal from the European Commission or through an opinion from an EU member state's data protection authority and the European Data Protection Supervisor. The European Parliament can request the commission maintain, amend or withdraw the adequacy standing if needed. 

According to those interviewed by The Privacy Advisor, privacy professionals largely agree Canada could lose its adequacy standing should a future review occur. The real questions surround whether that could happen anytime soon, the impact on Canadian business if the country were to lose its status, and what Canada would do if it faced a review. 

"When the EU Commission originally gave Canada its adequacy, it was done so reluctantly," said IAPP Canada Managing Director Kris Klein, CIPP/C, CIPM. "While the rest of the world has seemed to have modernized and has had privacy laws go through multiple evolutionary steps, Canada’s have remained stagnant and haven’t really changed, and when you compare Canada’s regime now to the GDPR, I think it would be very unlikely to see the Europeans give Canada its adequacy finding again."

University of Ottawa Law Professor Michael Geist shared Klein's views on the evolution of privacy laws, specifically with the laws in the European Union. Geist also cites Canada's participation in the Five Eyes intelligence-sharing program with the U.S., U.K., Australia and New Zealand as a major reason why Canada's adequacy status would be in jeopardy. It's no secret the EU has been displeased with the secrecy surrounding government access to data in such jurisdictions.

However, while a review could mean Canada losing its adequacy, the chances of a review coming in the near future seem less likely.

Canada and the EU recently finalized the Comprehensive Economic and Trade Agreement. Geist said if the EU was concerned about Canadian privacy law, it would have addressed it while negotiating the agreement. 

Bird & Bird Associate Gabe Maldoff, CIPP/US, said Canada has managed to avoid a lot of the media controversy surrounding data issues that have plagued the U.S., making it unlikely for it to be at the top of the list if adequacy reviews were to ramp up.

NNovation Partner Shaun Brown said the U.S. and President Donald Trump are far likely to be a bigger concern for Europe than Canada, a sentiment shared by other privacy professionals.

"There are two ways adequacy comes up for review. One is through a court case, through a Max Schrems–style advocacy effort. In that sense, it’s clear that the U.S. is the bigger target," Maldoff said. "Not just because of Trump, but because the U.S. has so many more service providers that are offering services to Europeans. There aren’t too many big, data-heavy Canadian companies that are as visible a target as Google or Facebook."

While an adequacy review may not be imminent, the privacy community in Canada is paying attention to the situation, but Maldoff said since the privacy community in Canada isn't as large as it is in the U.S. or U.K., the conversation isn't as loud.

Canadian privacy professionals may also have their eyes focused on other issues.

"I wouldn’t say that it is an issue that gets raised regularly, and that also may explain why it hasn’t gotten the attention it otherwise deserves," Geist said. "When I think of the corporate advisory privacy community, they’re focused primarily on ensuring compliance with the existing rules and other laws, like Canada’s Anti-Spam Legislation, and spend less time arguing for further privacy reform."

One reason why adequacy may not be a hot topic is due to the fact the Canadian government hasn't done much to enhance its privacy laws, so PIPEDA isn't much in the public eye. However, this spring, a House of Commons committee did take a look at PIPEDA in light of the GDPR and heard testimony from a host of privacy experts. Adequacy was certainly a topic of concern there, and the Office of the Privacy Commissioner has loudly supported PIPEDA reform. 

Klein said as other countries with an adequacy designation are revamping their data protection laws, he would expect Canada to do the same but isn't confident in the Canadian government to do so.

"We’ve taken, at the most, small baby steps to fix little things that were wrong with it," Klein said. "Now, as a result, we are wholly behind the eight ball in terms of matching protections in Canada that are found elsewhere in the world. I think they are going to wake up and smell the coffee on this, but I don’t know because they don’t have a track record of being proactive at all."

Geist agreed with Klein that the Canadian government has been slow to reform the law, saying there have been long stretches of time when the Canadian government did not take reviewing the law seriously.

If Canada were to lose its adequacy standing, opinions on the level of impact it would have on the Canadian economy have been mixed. 

Brown believes the impact on Canadian businesses would be low, as many of his clients do not handle European data. However, Brown does say those companies who do handle European data would be in for a regulatory nightmare were Canada's adequacy to be revoked.

Geist said, given Canada and Europe recently agreed to the CETA, the economic implications could be enormous for Canada, assuming a reasonable level of enforcement.

Maldoff said adequacy does not automatically mean a country's economy is in trouble, but it could be if there are no backup options.

"If you lose adequacy, and there are still alternative mechanisms, like standard contractual clauses, it’s messy and more complicated to do business, but it’s not a really significant impediment. It’s a paperwork issue," Maldoff said. "If you lose adequacy, and in the process, those other mechanisms are destroyed, as well, so there are no more standard contractual clauses to rely on, then clearly that’s much more significant because virtually all trade is going to involve some form of data back and forth."

The future regarding Canada's adequacy standing remains a mystery. Klein believes it may take a full-fledged review before the Canadian government is motivated to renovate its privacy laws, while Geist thinks any changes to avoid an adequacy challenge will be small.

"I don’t see an overhaul or a major upgrade in the near term. Certainly not in the current life of this government before the election in 2019. We may well see piecemeal legislative changes or small reforms that I would hope and expect that elements of the last law will finally make their way through the regulatory process, notably with security breach disclosure reporting," Geist said. "I don’t think we are at a total standstill here, but I don’t foresee a major, robust reform effort in the short term."

Maldoff said the Canadian government is receptive to adapting its legislation in order to avoid the spotlight and expects Canada to make changes to its law in response to changes in Europe. Brown agrees in thinking Canada will look to keep a low profile.

"Canada is not the biggest country in the world from a data perspective. I think we lay low," Brown said. "If I were to make a prediction, we are probably not that much of a concern to the EU right now, and I can easily see this just lingering for another decade or more. I think the EU has their hands full with Donald Trump right now."  

photo credit: Ian Muttoo Happy Canada Day! via photopin (license)

1 Comment

If you want to comment on this post, you need to login.

  • comment Ken Mortensen • Jun 27, 2017
    EU "Adequacy" has always been held out as this "brass ring" that only the 'best' could ever hope to achieve.  The reality is different - yes, it is hard to achieve, but it will likely never be 'achievable,' even with all the requirements met (and as laid out by the EU) by certain countries, such as the United States.  Also, if the member state laws were set against the same measures, even if you limited it to just surveillance law, it would seem unlikely that individual member states would gain it. 
    
    See, https://www.hoganlovells.com/en/news/hogan-lovells-white-paper-examines-national-security-access-to-personal-data-in-the-worldwide-cloud